<html>
<head><meta charset="utf-8"><title>How do programmers use unsafe Rust? · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html">How do programmers use unsafe Rust?</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="211421955"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211421955" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211421955">(Sep 27 2020 at 15:47)</a>:</h4>
<p>This paper seems like it would be interesting for the WG: <a href="http://people.inf.ethz.ch/summersa/wiki/lib/exe/fetch.php?media=papers:unsafe-corpus.pdf">http://people.inf.ethz.ch/summersa/wiki/lib/exe/fetch.php?media=papers:unsafe-corpus.pdf</a></p>



<a name="211422004"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211422004" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211422004">(Sep 27 2020 at 15:48)</a>:</h4>
<p>Cc <span class="user-mention" data-user-id="116109">@Vytautas Astrauskas</span> (one of the authors) -- nice work getting more concrete numbers into this discussion :)</p>



<a name="211422162"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211422162" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211422162">(Sep 27 2020 at 15:52)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/146229-wg-secure-code/topic/Hwo.20do.20programmers.20Use.20unsafe.20Rust.3F/near/211422004">said</a>:</p>
<blockquote>
<p>Cc <span class="user-mention silent" data-user-id="116109">Vytautas Astrauskas</span> (one of the authors) -- nice work getting more concrete numbers into this discussion :)</p>
</blockquote>
<p>Thanks! <span aria-label="smiling face" class="emoji emoji-263a" role="img" title="smiling face">:smiling_face:</span></p>



<a name="211422182"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211422182" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211422182">(Sep 27 2020 at 15:53)</a>:</h4>
<p>I am a bit buried now under my teaching stuff, but if you have any questions I will try to answer them.</p>



<a name="211422406"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211422406" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211422406">(Sep 27 2020 at 15:58)</a>:</h4>
<p>The Jupyter notebooks are <a href="https://github.com/rust-corpus/qrates/tree/master/reports">here</a> and the CSV files can be downloaded from <a href="https://pmserver.inf.ethz.ch/rust-corpus/query-results.tar.gz">here</a>. The CSV files are generated by our CI; if you notice that they are broken, please let me know.</p>



<a name="211422652"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211422652" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211422652">(Sep 27 2020 at 16:04)</a>:</h4>
<p>Also, if somebody knows how to set up a public internet facing Jupyter notebook without introducing a severe safety risk on our server, I could do that to support people who are interested in running their own analysis but do not have a powerful machine for that.</p>



<a name="211422742"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211422742" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Teymour Aldridge <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211422742">(Sep 27 2020 at 16:06)</a>:</h4>
<p>Would using Google Colaboratory work? (they provide a free hosted environment for Jupyter notebooks, with GPU access as well as TPUs, Google's proprietary ASIC chips)</p>



<a name="211422752"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211422752" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Teymour Aldridge <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211422752">(Sep 27 2020 at 16:07)</a>:</h4>
<p>I realise it's not ideal pointing people to Google, but in this case it might work (doesn't require log in, with the option to save one's work)</p>



<a name="211423046"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423046" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423046">(Sep 27 2020 at 16:14)</a>:</h4>
<p>Sounds like an option. How much space do they give?</p>



<a name="211423297"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423297" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423297">(Sep 27 2020 at 16:20)</a>:</h4>
<p>That metadata database much have cost a fortune to build, since you have to compile every single crate from <a href="http://crates.io">crates.io</a>. <br>
I've attempted some source code analysis on <a href="http://crates.io">crates.io</a> in the past, but didn't go beyond <code>rg</code> queries.<br>
I did get a rough measure of the percentage of unsafe code though: <a href="https://www.reddit.com/r/rust/comments/g0wu9b/">https://www.reddit.com/r/rust/comments/g0wu9b/</a></p>



<a name="211423368"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423368" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423368">(Sep 27 2020 at 16:22)</a>:</h4>
<p>I wonder, how long did it take to compile all of <a href="http://crates.io">crates.io</a> via <code>rustwide</code> on your server?</p>



<a name="211423378"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423378" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423378">(Sep 27 2020 at 16:23)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/Hwo.20do.20programmers.20Use.20unsafe.20Rust.3F/near/211423297">said</a>:</p>
<blockquote>
<p>That metadata database much have cost a fortune to build, since you have to compile every single crate from <a href="http://crates.io">crates.io</a>. </p>
</blockquote>
<p>We are using Rustwide and we compile only the newest version of each package.</p>



<a name="211423387"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423387" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423387">(Sep 27 2020 at 16:23)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/Hwo.20do.20programmers.20Use.20unsafe.20Rust.3F/near/211423368">said</a>:</p>
<blockquote>
<p>I wonder, how long did it take to compile all of <a href="http://crates.io">crates.io</a> via <code>rustwide</code> on your server?</p>
</blockquote>
<p>It takes a week.</p>



<a name="211423521"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423521" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423521">(Sep 27 2020 at 16:26)</a>:</h4>
<p>To compile all versions of all packages, we would need a server with more space (not a big problem) and to optimize the query engine to actually be able to handle such things.</p>



<a name="211423556"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423556" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423556">(Sep 27 2020 at 16:27)</a>:</h4>
<p>Oh, that's far more tractable than I expected! I believe crater compiles all versions, which is why it's slow.</p>



<a name="211423611"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423611" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423611">(Sep 27 2020 at 16:28)</a>:</h4>
<p>The infrastructure is in many aspects naïve, but it allowed us to get the results so we did not spend much time optimizing it.</p>



<a name="211423626"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423626" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423626">(Sep 27 2020 at 16:29)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/Hwo.20do.20programmers.20Use.20unsafe.20Rust.3F/near/211423556">said</a>:</p>
<blockquote>
<p>Oh, that's far more tractable than I expected! I believe crater compiles all versions, which is why it's slow.</p>
</blockquote>
<p>A crater run, if I am not mistaken, takes around three days for <code>cargo check</code> (which is basically what we do).</p>



<a name="211423671"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423671" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423671">(Sep 27 2020 at 16:30)</a>:</h4>
<p>However, I think the full crater pass does <code>cargo test</code>, which is much slower.</p>



<a name="211423697"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423697" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423697">(Sep 27 2020 at 16:31)</a>:</h4>
<p>I've been warned not to try it because it's going to take months on commodity hardware. I'm glad that whoever told me that was mistaken!</p>



<a name="211423762"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423762" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423762">(Sep 27 2020 at 16:33)</a>:</h4>
<p>Oh nice, safety-dance got a shoutout <span aria-label="blush" class="emoji emoji-1f60a" role="img" title="blush">:blush:</span></p>



<a name="211423811"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423811" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423811">(Sep 27 2020 at 16:34)</a>:</h4>
<p>By the way, if you are interested in the latest data, rerunning the compilation regularly is not a problem as long as we manage to keep up with the compiler API (which is a pain, unfortunately).</p>



<a name="211423890"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423890" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423890">(Sep 27 2020 at 16:36)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/Hwo.20do.20programmers.20Use.20unsafe.20Rust.3F/near/211423697">said</a>:</p>
<blockquote>
<p>I've been warned not to try it because it's going to take months on commodity hardware. I'm glad that whoever told me that was mistaken!</p>
</blockquote>
<p><code>cargo check</code> on the latest versions of all packages is definitely possible within one week on a stronger laptop.</p>



<a name="211423976"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211423976" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211423976">(Sep 27 2020 at 16:39)</a>:</h4>
<p>However, this could be the result of the work that the Rustwide team did in the last year. For example, if you disable caching, then it takes much much longer.</p>



<a name="211424058"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211424058" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211424058">(Sep 27 2020 at 16:41)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/Hwo.20do.20programmers.20Use.20unsafe.20Rust.3F/near/211423697">said</a>:</p>
<blockquote>
<p>I've been warned not to try it because it's going to take months on commodity hardware. I'm glad that whoever told me that was mistaken!</p>
</blockquote>
<p>that's <a href="http://docs.rs">docs.rs</a>, not crater</p>



<a name="211424097"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211424097" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211424097">(Sep 27 2020 at 16:42)</a>:</h4>
<p><a href="http://docs.rs">docs.rs</a> compiles <em>all</em> versions, crater just compiles the latest</p>



<a name="211424100"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211424100" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211424100">(Sep 27 2020 at 16:42)</a>:</h4>
<p>(it was me that told you :P)</p>



<a name="211425913"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211425913" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211425913">(Sep 27 2020 at 17:26)</a>:</h4>
<p>Ah, that makes sense <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span></p>



<a name="211428455"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211428455" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211428455">(Sep 27 2020 at 18:34)</a>:</h4>
<p>crater doesn't compile the latest, but generally a locked version (depending on why it is run)</p>



<a name="211461432"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211461432" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211461432">(Sep 28 2020 at 07:53)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211423556">said</a>:</p>
<blockquote>
<p>Oh, that's far more tractable than I expected! I believe crater compiles all versions, which is why it's slow.</p>
</blockquote>
<p>(I don't think so, O never saw more than one version of a crate regress in a crater run and that seems unlikely if all versions are tested.)</p>



<a name="211461555"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211461555" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211461555">(Sep 28 2020 at 07:54)</a>:</h4>
<p>Yeah that database you build <span class="user-mention" data-user-id="116109">@Vytautas Astrauskas</span> sounds like it could be useful for other things as well, that's why <span class="user-mention" data-user-id="116009">@nikomatsakis</span> proposed it after all</p>



<a name="211461608"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211461608" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211461608">(Sep 28 2020 at 07:55)</a>:</h4>
<p>as an example, how hard would it be to answer a question like "how many crates create references to packed fields, inside or outside unsafe blocks" (and would thus be affected by finally making that a hard error)?</p>



<a name="211461718"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211461718" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211461718">(Sep 28 2020 at 07:56)</a>:</h4>
<p>regarding the paper itself, the only thing so far that made be go "hu?" was looking for synchronization intrinsics -- not only are they unstable as you say, but they also have stable alternatives via the <code>Atomic*</code> types. I'd expect most unsafe code that needs synchronization to use these stable types for that purpose instead of the unstable intrinsics.</p>



<a name="211482593"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211482593" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211482593">(Sep 28 2020 at 12:02)</a>:</h4>
<p>I am also confused by this statement:</p>
<blockquote>
<p>We observed that many functions are declared unsafe despite not employing any of the language<br>
features which the compiler requires to be used only in unsafe code. This suggests either confusion<br>
on the part of the programmer as to when such blocks are required, legacy reasons (e.g., the same<br>
function must be unsafe on a different platform), or that programmers employ such blocks to<br>
document concerns beyond those that the Rust compiler chooses to associate with unsafe Rust.</p>
</blockquote>
<p>One example of such a function is <code>Vec::set_len</code>. However, this function <em>must be unsafe</em> -- <code>Vec</code> would be unsound if it were marked as safe. So there is another option besides confusion, legacy, and documentaiton; namely: upholding safety requirements of the module that are crucial for unsafe code elsewhere in the module.</p>



<a name="211482797"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211482797" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211482797">(Sep 28 2020 at 12:04)</a>:</h4>
<p>or maybe that is me misunderstanding your terminology; the paper also says unsafe traits serve "purely as documentation feature", which I would disagree with. they are a crucial part of the safety story, as they mark places where extra invariant needs to be manually upheld by clients -- this goes beyond normal documentation.</p>



<a name="211484202"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211484202" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211484202">(Sep 28 2020 at 12:19)</a>:</h4>
<p><span class="user-mention" data-user-id="116109">@Vytautas Astrauskas</span> is what I linked the latest version of the paper? it says 2018... I guess SPLASH didnt happen yet so the official version is not even out yet? <em>oops</em></p>



<a name="211508820"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211508820" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211508820">(Sep 28 2020 at 15:34)</a>:</h4>
<p>I'd also be interested in a discussion of unsafe features that don't require the <code>unsafe</code>  keyword</p>



<a name="211508871"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211508871" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211508871">(Sep 28 2020 at 15:35)</a>:</h4>
<p>e.g. <a href="https://github.com/rust-lang/rust/issues/28179">https://github.com/rust-lang/rust/issues/28179</a> and <a href="https://github.com/RustSec/advisory-db/issues/275">https://github.com/RustSec/advisory-db/issues/275</a></p>



<a name="211510201"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211510201" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211510201">(Sep 28 2020 at 15:45)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211461608">said</a>:</p>
<blockquote>
<p>as an example, how hard would it be to answer a question like "how many crates create references to packed fields, inside or outside unsafe blocks" (and would thus be affected by finally making that a hard error)?</p>
</blockquote>
<p>Do you mean references to packed <strong>fields</strong> or structs?  I am asking because I do see <a href="https://doc.rust-lang.org/nightly/nightly-rustc/rustc_middle/ty/struct.AdtDef.html#structfield.repr"><code>repr</code></a> on ADTs, but not on <a href="https://doc.rust-lang.org/nightly/nightly-rustc/rustc_middle/ty/struct.FieldDef.html">fields</a>. Anyway, the main problem seems to be that, currently, the extractor does not collect repr information about structs. This should be easy to fix but will require recompiling all packages. To answer your question: it should not require much human work but would take around a week to get an answer. I have opened <a href="https://github.com/rust-corpus/qrates/issues/1">an issue</a>.</p>



<a name="211510834"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211510834" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Chris Denton <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211510834">(Sep 28 2020 at 15:50)</a>:</h4>
<p><span class="user-mention silent" data-user-id="232545">Joshua Nelson</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211508820">said</a>:</p>
<blockquote>
<p>I'd also be interested in a discussion of unsafe features that don't require the <code>unsafe</code>  keyword</p>
</blockquote>
<p>I think there's an issue that there are unsafe attributes but no way to mark attributes as being unsafe?</p>



<a name="211510906"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211510906" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211510906">(Sep 28 2020 at 15:51)</a>:</h4>
<p>right, that's the first link, the second is macros that expand to <code>unsafe</code></p>



<a name="211511587"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211511587" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211511587">(Sep 28 2020 at 15:56)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211482593">said</a>:</p>
<blockquote>
<p>I am also confused by this statement:</p>
<blockquote>
<p>We observed that many functions are declared unsafe despite not employing any of the language<br>
features which the compiler requires to be used only in unsafe code. This suggests either confusion<br>
on the part of the programmer as to when such blocks are required, legacy reasons (e.g., the same<br>
function must be unsafe on a different platform), or that programmers employ such blocks to<br>
document concerns beyond those that the Rust compiler chooses to associate with unsafe Rust.</p>
</blockquote>
<p>One example of such a function is <code>Vec::set_len</code>. However, this function <em>must be unsafe</em> -- <code>Vec</code> would be unsound if it were marked as safe. So there is another option besides confusion, legacy, and documentaiton; namely: upholding safety requirements of the module that are crucial for unsafe code elsewhere in the module.</p>
<p>or maybe that is me misunderstanding your terminology; the paper also says unsafe traits serve "purely as documentation feature", which I would disagree with. they are a crucial part of the safety story, as they mark places where extra invariant needs to be manually upheld by clients -- this goes beyond normal documentation.</p>
</blockquote>
<p>What you mention is exactly what we meant with “documentation”. It seems that I need to double-check our use of terminology. Thanks for pointing this out!</p>



<a name="211512197"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211512197" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211512197">(Sep 28 2020 at 16:01)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211484202">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="116109">Vytautas Astrauskas</span> is what I linked the latest version of the paper? it says 2018... I guess SPLASH didnt happen yet so the official version is not even out yet? <em>oops</em></p>
</blockquote>
<p>It is the latest, but not the final version. We are still waiting for the second round results.</p>



<a name="211512651"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211512651" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211512651">(Sep 28 2020 at 16:05)</a>:</h4>
<p><span class="user-mention silent" data-user-id="232545">Joshua Nelson</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211508820">said</a>:</p>
<blockquote>
<p>I'd also be interested in a discussion of unsafe features that don't require the <code>unsafe</code>  keyword</p>
<p>e.g. <a href="https://github.com/rust-lang/rust/issues/28179">https://github.com/rust-lang/rust/issues/28179</a> and <a href="https://github.com/RustSec/advisory-db/issues/275">https://github.com/RustSec/advisory-db/issues/275</a></p>
</blockquote>
<p>Discussion as in my opinion on these things or some specific data about uses of these unsafe features?</p>



<a name="211512748"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211512748" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211512748">(Sep 28 2020 at 16:06)</a>:</h4>
<p>Both, but I think data would be the most helpful ;)</p>



<a name="211515950"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211515950" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211515950">(Sep 28 2020 at 16:31)</a>:</h4>
<blockquote>
<p>Do you mean references to packed fields or structs? I am asking because I do see repr on ADTs, but not on fields. </p>
</blockquote>
<p>Sorry, I used that as a shorthand for "field of packed structs". (More specifically, fields of packed structs that are actually insufficiently aligned for their type -- i.e., a <code>u8</code> field is still safe to take a reference to, and Rust treats it as such)</p>



<a name="211521085"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211521085" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211521085">(Sep 28 2020 at 17:10)</a>:</h4>
<p>Why was it necessary to focus on whether or not the "Rust Hypothesis Holds" in relation to the code review and analysis?</p>



<a name="211521270"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211521270" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211521270">(Sep 28 2020 at 17:12)</a>:</h4>
<p>Isn't there a natural separation of concerns between a languages theory and design and it's 'real-world' application?</p>



<a name="211526755"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211526755" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211526755">(Sep 28 2020 at 17:56)</a>:</h4>
<p>Hey Ralf, thanks a lot for checking out for the paper and for the comments! I think the sentence you refer to is perhaps a little implicitly worded (in particular, what "concerns beyond those that the Rust compiler chooses to associate with unsafe Rust" precisely means. I think we're aiming to say that these are usages of "unsafe" that go beyond what the compiler requires the programmer to write; in these examples, there's nothing (even transitively via called functions) which explicitly forces the programmer to consider adding an "unsafe" and they chose to do so nonetheless. Your <code>Vec::set_len</code> example seems to be a good example of such a case, indeed (the compiler won't ask you to label that function as unsafe, but you indeed should for deeper reasons).</p>



<a name="211527408"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211527408" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211527408">(Sep 28 2020 at 18:01)</a>:</h4>
<p><span class="user-mention" data-user-id="347112">@Alex Summers</span> I see, that's fair. <em>the compiler</em> does not force you to write them. but the "community standard" of ensuring soundness (no UB from safe code) does.<br>
the reason I got confused is that every now and then, the discussion comes up to use <code>unsafe</code> for things unrelated to soundness -- for example, in ye olde times there was talk about keeping <code>mem::forget</code> unsafe to "discourage" its use. The lang team decided against that, but it may well be that community crates do this. that is what I thought you mean when you say "for docs purpose only".</p>



<a name="211527609"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211527609" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211527609">(Sep 28 2020 at 18:02)</a>:</h4>
<p>if one accepts soundness as a given axiom, someone writing a function like <code>set_len</code> does not really have a choice about whether it should be sound or not. it is generally considered a critical bug to not make such a function sound. but of course, the compiler has no way to actually enforce this.</p>



<a name="211531499"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211531499" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211531499">(Sep 28 2020 at 18:35)</a>:</h4>
<p>maybe another way to put it: soundness is not a convention for libraries, it's a prerequisite, the same way that having the correct behavior is a prerequisite</p>



<a name="211531521"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211531521" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211531521">(Sep 28 2020 at 18:35)</a>:</h4>
<p>it's <em>possible</em> for libraries to be unsound or do the wrong thing, but it's always a bug</p>



<a name="211537658"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211537658" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211537658">(Sep 28 2020 at 19:22)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> Yes - that's a good way of putting it. We were wondering how often this happens, and also whether we could find cases in which unsafe appears to be used to document concerns other than undefined behaviour (which could be another potential reason for a function being labelled as unsafe without anything in its body that the compiler would otherwise complain about). Making this distinction is of course also hard automatically, but I don't think we found too much evidence of either being very common. We can try to clarify these two possibilities in the final final version :)</p>



<a name="211545975"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211545975" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211545975">(Sep 28 2020 at 20:28)</a>:</h4>
<p><span class="user-mention" data-user-id="232545">@Joshua Nelson</span>  Thanks - I totally agree. It's however difficult to detect such usages of unsafe code/keywords automatically; personally I'm very interested to find these cases and stare at them. We used the fact that the keyword occurs somewhere the compiler wouldn't insist on it as a hint (that we could search for over the codebase).</p>



<a name="211569139"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211569139" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211569139">(Sep 29 2020 at 00:48)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> Looking at this again I think we do mean something a bit different w.r.t. unsafe <em>traits</em> (compared with the unsafe on functions that the compiler doesn't require an unsafe for that we discussed above). I believe that the instances of unsafe traits that we identified and then looked into by hand often appeared to use the feature to specify functional guarantees other than those clearly directly concerning  undefined behaviour. For example, <a href="https://doc.rust-lang.org/std/iter/trait.TrustedLen.html">https://doc.rust-lang.org/std/iter/trait.TrustedLen.html</a> -  in contrast with other usages of "unsafe" it (on the surface) appears to be used to document specifications that aren't clearly/only concerned with UB. I think there were some other non-standard-library instances in the dataset too which used unsafe trait to flag certain expected postconditions, but I'd need to check.</p>
<p>Of course, there could be client code (of the trait) which depends on these guarantees in arbitrary ways including to prevent undefined behaviour in some unsafe code somewhere (and maybe there even is such code elsewhere in the standard library; I guess this is what makes <code>TrustedLen</code> an unsafe trait?), but that at least also <em>could</em> be the case for any functional properties. In that sense, it seemed to us that there was less clarity on when a trait should be marked as unsafe or not. In practice, we also observed in the study that unsafe traits are used quite rarely, which we speculated could also be for this reason.</p>



<a name="211569505"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211569505" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211569505">(Sep 29 2020 at 00:54)</a>:</h4>
<p>the way I've heard it described is that traits should be <code>unsafe</code> if <code>unsafe</code> code can depend on them for soundness:</p>
<blockquote>
<p>there could be client code (of the trait) which depends on these guarantees in arbitrary ways including to prevent undefined behaviour</p>
</blockquote>
<p>but not for correctness: <a href="https://doc.rust-lang.org/std/collections/struct.BTreeMap.html">https://doc.rust-lang.org/std/collections/struct.BTreeMap.html</a>, <a href="https://doc.rust-lang.org/std/cmp/trait.Ord.html">https://doc.rust-lang.org/std/cmp/trait.Ord.html</a></p>



<a name="211569566"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211569566" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211569566">(Sep 29 2020 at 00:55)</a>:</h4>
<p>I assume that TrustedLen is used to support things like collecting into a vector without a bounds check. While such a function would need to use unsafe internally anyway, it could not be marked as safe without the TrustedLen unsafe trait, because otherwise safe code could call the function, violating the guarantees with other safe code, and get UB</p>



<a name="211570102"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570102" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570102">(Sep 29 2020 at 01:03)</a>:</h4>
<p>Hey <span class="user-mention" data-user-id="232545">@Joshua Nelson</span>, thanks for the tip: I think what's unclear to me personally is, as someone writing the trait itself (which aggregates some kind of expected behaviour), if I have a particular postcondition in mind that a certain function is meant to always guarantee, when would I <em>not</em> want to make this an unsafe trait? It seems that this would only have advantages; I'm making clear to client code that this property can be relied upon (as opposed to something which is meant to be the case but cannot be relied upon... I'm not sure when I would want to say that). In that sense, it seems hard to decide based on the property, essentially because it's how the <em>clients</em> of this code will want eventually to use and depend on it which determines whether adding unsafe will be useful/necessary or not.</p>



<a name="211570161"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570161" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570161">(Sep 29 2020 at 01:04)</a>:</h4>
<p>ah hmm that's an interesting point</p>



<a name="211570188"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570188" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570188">(Sep 29 2020 at 01:04)</a>:</h4>
<p>I think the difference is that <code>unsafe trait</code> <em>guarantees</em> it is correct, and <code>trait</code> is a little more wishy-washy? but that distinction seems a little vague</p>



<a name="211570203"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570203" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570203">(Sep 29 2020 at 01:05)</a>:</h4>
<p>Well, it means that all clients will have to <code>unsafe impl</code> your trait now, which is added geiger factor</p>



<a name="211570297"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570297" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570297">(Sep 29 2020 at 01:06)</a>:</h4>
<p>if it's not so important of a guarantee (i.e. it's not performance sensitive and you can live with a panic instead of UB) you might want to skip all the downstream code review effort</p>



<a name="211570310"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570310" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570310">(Sep 29 2020 at 01:06)</a>:</h4>
<p>Hey <span class="user-mention" data-user-id="271719">@Mario Carneiro</span> - that makes sense. I'm certainly not arguing to drop the <code>unsafe</code> in this case, by the way; it's just less clear to me what makes this particular trait warrant the <code>unsafe</code> and not others.</p>



<a name="211570339"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570339" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570339">(Sep 29 2020 at 01:06)</a>:</h4>
<p>This one is important because it's very performance sensitive, given Rust's reliance on good codegen for iterator loops</p>



<a name="211570438"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570438" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570438">(Sep 29 2020 at 01:08)</a>:</h4>
<p>(<span class="user-mention" data-user-id="232545">@Joshua Nelson</span> ) Right - this is kind of my issue :) I think for <code>unsafe</code> on a function there's a clear distinction (say, if we're talking about a precondition property): if the property involved, when violated, will cause undefined behaviour, you'd better put <code>unsafe</code>, otherwise you shouldn't. But that's something you can decide when you implement the function, since (at least for this precondition usage) you know the code and the consequences (hopefully...)</p>



<a name="211570463"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570463" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570463">(Sep 29 2020 at 01:08)</a>:</h4>
<p>Ah sorry; I probably wasn't clear but by "clients" I meant people calling the trait's functions, not people implementing it.</p>



<a name="211570508"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570508" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570508">(Sep 29 2020 at 01:09)</a>:</h4>
<p>For an unsafe trait, you are banking on what unsafe code is going to do with the results of the trait methods, rather than the implementation of the methods themselves</p>



<a name="211570597"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570597" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570597">(Sep 29 2020 at 01:10)</a>:</h4>
<p>Exactly; you have to make the decision when writing the trait, in terms of what you expect the clients (callers) of these functions will eventually rely on. That seems difficult, to me - a caller could always want to rely on my functional behaviour for whatever they like.</p>



<a name="211570638"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570638" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570638">(Sep 29 2020 at 01:11)</a>:</h4>
<p>well usually you wouldn't write an unsafe trait unless you had a particular use-case in mind. The <a href="https://github.com/rust-lang/rust/pull/37306">PR that added TrustedLen</a> also put new unsafe code in <code>Vec::extend</code> that relies on it for soundness</p>



<a name="211570725"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570725" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570725">(Sep 29 2020 at 01:13)</a>:</h4>
<p>but of course a guarantee is a guarantee and users can use TrustedLen functions for other uses too</p>



<a name="211570739"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570739" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570739">(Sep 29 2020 at 01:13)</a>:</h4>
<p>Yeah, I think this makes total sense - the standard library's correctness already depends on the property, so it had better be an <code>unsafe</code> trait</p>



<a name="211570834"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570834" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570834">(Sep 29 2020 at 01:15)</a>:</h4>
<p>Thanks for the pointer btw - I wasn't sure whether/where there was this dependency, but it seemed likely to exist somewhere :)</p>



<a name="211570889"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570889" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570889">(Sep 29 2020 at 01:16)</a>:</h4>
<p>But I think it's fair to say that if the word <code>unsafe</code> is used then somehow memory safety or other language UB is at stake, possibly elsewhere in the code</p>



<a name="211570971"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211570971" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211570971">(Sep 29 2020 at 01:18)</a>:</h4>
<p><span class="user-mention silent" data-user-id="271719">Mario Carneiro</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211570203">said</a>:</p>
<blockquote>
<p>Well, it means that all clients will have to <code>unsafe impl</code> your trait now, which is added geiger factor</p>
</blockquote>
<p>I probably think too much in terms of specifications, but my understanding is that all <code>unsafe impl</code> means is "I promise to implement this trait correctly". I would argue that I make that promise for implementing any trait :) And having done it, I'd be happy for others to rely on it (well even better, maybe I'll verify its correctness first...)</p>



<a name="211571012"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571012" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571012">(Sep 29 2020 at 01:19)</a>:</h4>
<p>I make a <code>unsafe</code> promise to the compiler at least, what I'm willing to promise other humans is sometimes a different story</p>



<a name="211571309"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571309" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571309">(Sep 29 2020 at 01:25)</a>:</h4>
<p>The paper its self refers to the mere presence of <code>unsafe</code> to be a "naive query"</p>



<a name="211571514"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571514" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571514">(Sep 29 2020 at 01:29)</a>:</h4>
<p><span class="user-mention" data-user-id="347112">@Alex Summers</span> Hm, an interesting point. I guess I can write the following function:</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="k">fn</span> <span class="nf">test_partial_eq</span><span class="o">&lt;</span><span class="n">T</span>: <span class="nb">PartialEq</span><span class="o">&gt;</span><span class="p">(</span><span class="n">x</span>: <span class="kp">&amp;</span><span class="nc">T</span><span class="p">,</span><span class="w"> </span><span class="n">y</span>: <span class="kp">&amp;</span><span class="nc">T</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="k">if</span><span class="w"> </span><span class="n">x</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">y</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="o">!</span><span class="p">(</span><span class="n">y</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">x</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">        </span><span class="k">unsafe</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">std</span>::<span class="n">hint</span>::<span class="n">unreachable_unchecked</span><span class="p">()</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w">    </span><span class="p">}</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>

<p>and use it to argue that <code>PartialEq</code> should be an <code>unsafe trait</code> because it has some axiomatic guarantees that are now being relied on for soundness in some unsafe code</p>



<a name="211571525"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571525" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571525">(Sep 29 2020 at 01:29)</a>:</h4>
<p><span class="user-mention" data-user-id="271719">@Mario Carneiro</span> I'd argue that the function is unsound <em>specifically because</em> PartialEq isn't unsafe trait</p>



<a name="211571575"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571575" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571575">(Sep 29 2020 at 01:30)</a>:</h4>
<p>or in other words, the author of the trait gets to make the decision, not the user</p>



<a name="211571588"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571588" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571588">(Sep 29 2020 at 01:30)</a>:</h4>
<p>But to Alex's point, what does the documentation of the trait mean then, when it says that a PartialEq implementation should be symmetric?</p>



<a name="211571600"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571600" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571600">(Sep 29 2020 at 01:31)</a>:</h4>
<p>it means that being incorrect is a logic bug, not a soundness bug</p>



<a name="211571612"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571612" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571612">(Sep 29 2020 at 01:31)</a>:</h4>
<p>I sympathize with the POV that says all bugs are bad</p>



<a name="211571663"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571663" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571663">(Sep 29 2020 at 01:32)</a>:</h4>
<p>and some bugs get tool assistance</p>



<a name="211571671"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571671" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571671">(Sep 29 2020 at 01:32)</a>:</h4>
<p>ok but clearly there's a difference between <code>assert_eq!(1 + 1, 3);</code> and <code>unreachable_unchecked()</code></p>



<a name="211571674"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571674" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571674">(Sep 29 2020 at 01:32)</a>:</h4>
<p>some bugs are worse than others</p>



<a name="211571703"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571703" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571703">(Sep 29 2020 at 01:33)</a>:</h4>
<p><span class="user-mention" data-user-id="271719">@Mario Carneiro</span> Indeed - nice example with <code>PartialEq</code>!</p>



<a name="211571876"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211571876" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211571876">(Sep 29 2020 at 01:37)</a>:</h4>
<p><span class="user-mention" data-user-id="232545">@Joshua Nelson</span> This makes a lot of sense to me too - the difficulty is that you kind have to anticipate how bad the resulting bugs could potentially be in all of your clients' code, here. In this sense, I think it feels to me a lot harder to decide when to use <code>unsafe trait</code> than other <code>unsafe</code> occurrences (and quite different in terms of thinking).</p>



<a name="211590874"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211590874" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211590874">(Sep 29 2020 at 08:00)</a>:</h4>
<blockquote>
<p>For example, <a href="https://doc.rust-lang.org/std/iter/trait.TrustedLen.html">https://doc.rust-lang.org/std/iter/trait.TrustedLen.html</a> - in contrast with other usages of "unsafe" it (on the surface) appears to be used to document specifications that aren't clearly/only concerned with UB. I think there were some other non-standard-library instances in the dataset too which used unsafe trait to flag certain expected postconditions, but I'd need to check.</p>
</blockquote>
<p><span class="user-mention" data-user-id="347112">@Alex Summers</span>  TrustedLen exists because there is code in libstd and probably beyond that would cause UB if the contract is violated. that is exactly what unsafe traits are for. (ah someone already gave a pointer :)</p>
<p>If one did that without marking <code>TrustedLen</code> as <code>unsafe</code>, this would be a critical soundness bug. So I strongly disagree when you say that one could also do this for other traits.</p>



<a name="211590951"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211590951" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211590951">(Sep 29 2020 at 08:01)</a>:</h4>
<p><span class="user-mention silent" data-user-id="232545">Joshua Nelson</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211570188">said</a>:</p>
<blockquote>
<p>I think the difference is that <code>unsafe trait</code> <em>guarantees</em> it is correct, and <code>trait</code> is a little more wishy-washy? but that distinction seems a little vague</p>
</blockquote>
<p>it's not wishy washy -- when you write unsafe code interacting with a safe <code>trait</code>, you have to support every possible safe implementation of that trait, no matter how much it violates the purpose of the trait.</p>



<a name="211591084"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211591084" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211591084">(Sep 29 2020 at 08:03)</a>:</h4>
<p><span class="user-mention silent" data-user-id="347112">Alex Summers</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211571876">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="232545">Joshua Nelson</span> This makes a lot of sense to me too - the difficulty is that you kind have to anticipate how bad the resulting bugs could potentially be in all of your clients' code, here. In this sense, I think it feels to me a lot harder to decide when to use <code>unsafe trait</code> than other <code>unsafe</code> occurrences (and quite different in terms of thinking).</p>
</blockquote>
<p>most of the time you could go either way. for example, <code>BTreeMap</code> is full of unsafe code and it has to all "work" (not cause UB) even if the underlying <code>Ord</code> implementation is ridicolous.  This is the price BTreeMap pays for working with a safe trait. The benefit if that users do not have to worry about UB when implementing <code>Ord</code>.</p>



<a name="211591188"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211591188" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211591188">(Sep 29 2020 at 08:04)</a>:</h4>
<p>There could be a <code>BTreeMap2</code> that works with an <code>unsafe trait TrustedOrd</code> that can actually rely on the ordering function to be well-behaved when arguing for soundness. I suppose for btrees the benefit of this was considered not worth the cost for users.</p>



<a name="211591262"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211591262" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211591262">(Sep 29 2020 at 08:05)</a>:</h4>
<p>So I'd say there is no "anticipating how bad the bugs would be", there is the question of "can I afford to add extra checks whenever I need to know, for soundness, that the trait is implemented in a certain way" (and are such checks even possible).</p>



<a name="211591418"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211591418" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211591418">(Sep 29 2020 at 08:07)</a>:</h4>
<p>but <code>unsafe trait</code> is indeed very different from some other uses of <code>unsafe</code>; that is the usual issue with <code>unsafe</code> meaning two different things -- some discharge obligations, some introduce them. <code>unsafe trait</code> is very similar to <code>unsafe fn</code> (ignoring for a second that unfortunately <code>unsafe fn</code> also makes the body and <code>unsafe {}</code> block). in both cases the question is "do I need to rely on extra proof by the user to establish soundness". <code>unsafe trait</code> is much more open-ended though, so it is probably the most subtle of them all.</p>



<a name="211591469"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211591469" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> lcnr <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211591469">(Sep 29 2020 at 08:08)</a>:</h4>
<blockquote>
<p>when you write unsafe code interacting with a safe trait, you have to support every possible safe implementation of that trait</p>
</blockquote>
<p>An interesting example here is sorting. So insertion sort in some C implementations work like this</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="k">if</span><span class="w"> </span><span class="n">new_elem</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="n">arr</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="n">arr</span><span class="p">.</span><span class="n">insert</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">new_elem</span><span class="p">);</span><span class="w"></span>
<span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="kd">let</span><span class="w"> </span><span class="k">mut</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">arr</span><span class="p">.</span><span class="n">len</span><span class="p">();</span><span class="w"></span>
<span class="w">    </span><span class="k">while</span><span class="w"> </span><span class="n">new_elem</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">arr</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">        </span><span class="n">i</span><span class="w"> </span><span class="o">-=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w">    </span><span class="p">}</span><span class="w"></span>
<span class="w">    </span><span class="n">arr</span><span class="p">.</span><span class="n">insert</span><span class="p">(</span><span class="n">i</span><span class="p">,</span><span class="w"> </span><span class="n">new_elem</span><span class="p">);</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>

<p>this allows us to skip the bounds check of the loop in the current rust implementation which uses <code>for 0..arr.len()</code>.<br>
But if the Ord implementation is broken, e.g. <code>partial_ord(...) -&gt; Ordering { random() }</code> this can results in an oob index.</p>



<a name="211591527"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211591527" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211591527">(Sep 29 2020 at 08:08)</a>:</h4>
<blockquote>
<p>But if the Ord implementation is broken, e.g. partial_ord(...) -&gt; Ordering { random() } this can results in an oob index.</p>
</blockquote>
<p>Yes, this is a typical example of having to require <code>TrustedOrd</code> to get better performance.</p>



<a name="211591757"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211591757" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211591757">(Sep 29 2020 at 08:11)</a>:</h4>
<p><span class="user-mention silent" data-user-id="271719">Mario Carneiro</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211571612">said</a>:</p>
<blockquote>
<p>I sympathize with the POV that says all bugs are bad</p>
</blockquote>
<p>all bugs are bad, but some make your program meaningless and the assembly just a bunch of happens-to-run garbage, while others "just" make the program do the wrong thing in a well-defined way. I am curious if there is data of how often heisenbugs, remote code execution and similar nasty beasts are UB bugs vs not -- I'd expect the vast majority of them to be UB.<br>
there's a reason bugs care classified by severity, and while non-UB bugs can be severe, UB bugs are severe much more often (or so I think).</p>



<a name="211639566"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211639566" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Summers <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211639566">(Sep 29 2020 at 15:42)</a>:</h4>
<p>Hi <span class="user-mention" data-user-id="120791">@RalfJ</span> , thanks for the comments and pointer! I totally agree and see why <code>TrustedLen</code> needs to be an unsafe trait. I'm less clear on exactly how one should make the same decision again, though... at least in general. In particular, I don't see that this example gives me a strong reason <em>not</em> to declare a trait I'm writing as unsafe; the situations in which the decision is clear to me all seem to be ones in which the <code>unsafe</code> is needed.</p>



<a name="211648260"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211648260" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211648260">(Sep 29 2020 at 16:39)</a>:</h4>
<p>that's fair... if you make a trait safe that is a commitment that no unsafe code will ever rely on its functional contract for safety.</p>



<a name="211655446"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211655446" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211655446">(Sep 29 2020 at 17:28)</a>:</h4>
<p>Isn't it rather that if you make a trait <em>unsafe</em> that is a commitment that no<br>
<em>safe</em> code will rely on its functional contract?</p>



<a name="211657202"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211657202" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211657202">(Sep 29 2020 at 17:42)</a>:</h4>
<p>Making a trait unsafe means that both safe and unsafe code can rely on the functional contract of said trait.</p>



<a name="211657485"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211657485" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211657485">(Sep 29 2020 at 17:44)</a>:</h4>
<p>When a trait is safe, nobody can rely on the functional contract. For safe code this is not a problem, as it will at most give a wrong result or panic. For unsafe code this is a problem, as it may need certain behavior of the trait impl to prevent UB.</p>



<a name="211658470"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211658470" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211658470">(Sep 29 2020 at 17:51)</a>:</h4>
<p>Never thought about it that way before</p>



<a name="211658566"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211658566" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211658566">(Sep 29 2020 at 17:52)</a>:</h4>
<p>Very interesting <span aria-label="thinking" class="emoji emoji-1f914" role="img" title="thinking">:thinking:</span></p>



<a name="211663403"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211663403" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Henry-Mantilla <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211663403">(Sep 29 2020 at 18:26)</a>:</h4>
<p>To add on this: it is <em>never unsound</em> to mark a non-<code>unsafe</code> function as <code>unsafe</code>, or a non-<code>unsafe</code> trait as <code>unsafe</code>. That would, however, lead to hindering the ergonomics too much, which would cause <code>unsafe { ... }</code> and <code>unsafe impl</code> (the only two places in Rust that can <em>introduce</em> unsoundness  (sometimes indirectly)) to be trivialized, as people would start using it in order to interact with these APIs, should they become ubiquitous.<br>
That's why there is a second <em>tacit</em> expectation, which is to try and only mark as <code>unsafe</code> the functions or the traits, that when wrongly called or when wrongly implemented, introduce unsoundness / ways to trigger UB.</p>
<p>Regarding, in practice, since that has been brought up, the question of "shouldn't I conservativley mark my trait as <code>unsafe</code> in case somebody has <code>unsafe</code> code that would like to rely on my trait invariants?", the rule of thumb is that that "somebody" ought to be within the same crate or workspace as the one defining the trait. At least to begin with.<br>
Should a downstream user ask for an <code>unsafe</code> optimization, an <code>unsafe</code> marker trait can always be added afterwards:</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="sd">//! Somebody made a very convincing argument to the stdlib that an `unsafe trait Ord`</span>
<span class="sd">//! would lead to important improvements</span>

<span class="c1">// Then all the authors (here, T-libs) have to do is:</span>

<span class="sd">/// # Safety</span>
<span class="sd">/// They must respect the invariants ... yadda yadda</span>
<span class="k">pub</span><span class="w"> </span><span class="k">unsafe</span><span class="w"> </span><span class="k">trait</span><span class="w"> </span><span class="n">TrustedOrd</span><span class="w"> </span>: <span class="nb">Ord</span> <span class="p">{}</span><span class="w"></span>

<span class="k">unsafe</span><span class="w"> </span><span class="k">impl</span><span class="o">&lt;..</span><span class="p">.</span><span class="o">&gt;</span><span class="w"> </span><span class="n">TrustedOrd</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">SomeStandardLibraryType</span><span class="o">&lt;..</span><span class="p">.</span><span class="o">&gt;</span><span class="w"> </span><span class="p">{}</span><span class="w"></span>
<span class="k">unsafe</span><span class="w"> </span><span class="k">impl</span><span class="o">&lt;..</span><span class="p">.</span><span class="o">&gt;</span><span class="w"> </span><span class="n">TrustedOrd</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">SomeOtherStandardLibraryType</span><span class="o">&lt;..</span><span class="p">.</span><span class="o">&gt;</span><span class="w"> </span><span class="p">{}</span><span class="w"></span>
</code></pre></div>

<p>This way, the downstream user can also go an <code>unsafe impl TrustedOrd for TheirOwnLocalType</code> while also having that impl for the types bundled / accessible by the initial crate (such as stdlib in the example).</p>
<p>TL,DR: Adding an <code>unsafe trait</code> "extension" to a trait can always be done afterwards / as an afterthought.</p>
<p>But in practice, it is rather <strong>the other way around</strong>: the crate author has a function using <code>unsafe</code> code that can be made generic over some behavior, but mis-implementing the behavior could cause UB with that implementation. The crate author thus then wraps that behavior within an <code>unsafe trait</code>, allowing extensionability from downstream crates, without breaking the soundness model</p>



<a name="211688047"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211688047" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211688047">(Sep 29 2020 at 21:38)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211423297">said</a>:</p>
<blockquote>
<p>That metadata database much have cost a fortune to build, since you have to compile every single crate from <a href="http://crates.io">crates.io</a>. <br>
I've attempted some source code analysis on <a href="http://crates.io">crates.io</a> in the past, but didn't go beyond <code>rg</code> queries.<br>
I did get a rough measure of the percentage of unsafe code though: <a href="https://www.reddit.com/r/rust/comments/g0wu9b/">https://www.reddit.com/r/rust/comments/g0wu9b/</a></p>
</blockquote>
<p>some prior art here:</p>
<ul>
<li><a href="https://github.com/praezi/rust">https://github.com/praezi/rust</a></li>
<li><a href="http://pure.tudelft.nl/ws/portalfiles/portal/46926997/main2.pdf">http://pure.tudelft.nl/ws/portalfiles/portal/46926997/main2.pdf</a></li>
</ul>



<a name="211688123"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211688123" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211688123">(Sep 29 2020 at 21:39)</a>:</h4>
<p>I think there was another more recent attempt to do the same thing</p>



<a name="211688168"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211688168" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211688168">(Sep 29 2020 at 21:40)</a>:</h4>
<p>global call graph database of all crates, that is</p>



<a name="211746039"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211746039" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211746039">(Sep 30 2020 at 11:27)</a>:</h4>
<p><span class="user-mention silent" data-user-id="132721">Tony Arcieri</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211688168">said</a>:</p>
<blockquote>
<p>global call graph database of all crates, that is</p>
</blockquote>
<p><a href="https://arxiv.org/pdf/2007.00752.pdf">https://arxiv.org/pdf/2007.00752.pdf</a></p>



<a name="211800105"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211800105" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211800105">(Sep 30 2020 at 18:18)</a>:</h4>
<p>They use the term "escape hatch" as well</p>



<a name="211817869"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211817869" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211817869">(Sep 30 2020 at 20:45)</a>:</h4>
<p><span class="user-mention silent" data-user-id="281739">Oliver</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211800105">said</a>:</p>
<blockquote>
<p>They use the term "escape hatch" as well</p>
</blockquote>
<p>I think this is a pretty standard way of explaining the point of unsafe code to non-Rust programmers. If I recall correctly, the first time I heard this expression from Ralf when he was explaining Rust Belt to someone several years ago.</p>



<a name="211858864"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211858864" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211858864">(Oct 01 2020 at 01:05)</a>:</h4>
<p>Here is something that just came across my desk: <a href="https://arxiv.org/abs/2003.03296">https://arxiv.org/abs/2003.03296</a><br>
of course there have probably been pre-prints floating around</p>



<a name="211867024"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211867024" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211867024">(Oct 01 2020 at 04:01)</a>:</h4>
<p>that's super cool, thanks!</p>



<a name="211867174"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211867174" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211867174">(Oct 01 2020 at 04:04)</a>:</h4>
<p>As I was reading the paper I also came back to comment about <code>set_len</code>; I'm glad to see that conversation already happened.</p>
<p>That's yet more evidence that lang should perhaps consider that "<code>unsafe</code> field" feature we keep talking about.  I guess it doesn't solve it completely, so might even make it more confusing because there'd be even fewer places where the "unsafe impacts the whole module" can be demonstrated...</p>



<a name="211912564"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211912564" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211912564">(Oct 01 2020 at 13:49)</a>:</h4>
<p>I'm not familiar with the context behind so-called <code>unsafe</code> fields. Generally<br>
this is addressing the point that Rust is more vulnerable to dangling pointers?</p>



<a name="211912853"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211912853" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211912853">(Oct 01 2020 at 13:51)</a>:</h4>
<p>One of the ideas here I hadn't encountered is that the use of <code>unsafe</code><br>
might be more restricted.</p>



<a name="211913082"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211913082" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211913082">(Oct 01 2020 at 13:53)</a>:</h4>
<p>The idea is that accessing an <code>unsafe</code> field requires an <code>unsafe</code> block even if all you're doing is writing to a <code>usize</code> field</p>



<a name="211913120"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211913120" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211913120">(Oct 01 2020 at 13:53)</a>:</h4>
<p>this would communicate that modifying the field can violate invariants that unsafe code elsewhere expects to hold</p>



<a name="211913181"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211913181" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211913181">(Oct 01 2020 at 13:53)</a>:</h4>
<p>basically it would allow making the <code>len</code> field of <code>Vec</code> public (not that I argue we should do that, but we could and it would be sound)</p>



<a name="211916223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211916223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211916223">(Oct 01 2020 at 14:12)</a>:</h4>
<p>In terms of more restricted <code>unsafe</code> the authors advocate the compiler look into<br>
<code>unsafe</code> blocks to better validate integrity of the drop scheme. This seems like<br>
a not un-obvious or wholly bad idea.</p>



<a name="211918428"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211918428" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211918428">(Oct 01 2020 at 14:27)</a>:</h4>
<p><a href="/user_uploads/4715/jOsJuj1kvajwmecE6tkXV5Gc/image.png">image.png</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/jOsJuj1kvajwmecE6tkXV5Gc/image.png" title="image.png"><img src="/user_uploads/4715/jOsJuj1kvajwmecE6tkXV5Gc/image.png"></a></div>



<a name="211919781"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211919781" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211919781">(Oct 01 2020 at 14:35)</a>:</h4>
<p><span class="user-mention silent" data-user-id="124288">oli</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211913082">said</a>:</p>
<blockquote>
<p>The idea is that accessing an <code>unsafe</code> field requires an <code>unsafe</code> block</p>
</blockquote>
<p>This reminds me of a comment to the effect that wrapping a single <code>unsafe</code><br>
function call in a macro is definitely an anti-pattern</p>



<a name="211920063"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211920063" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211920063">(Oct 01 2020 at 14:37)</a>:</h4>
<p>macros don't affect unsafety checks, you'd still need an <code>unsafe</code> block around it</p>



<a name="211920293"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211920293" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211920293">(Oct 01 2020 at 14:39)</a>:</h4>
<p>Yes it's in-line with that</p>



<a name="211921052"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211921052" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211921052">(Oct 01 2020 at 14:44)</a>:</h4>
<p><a href="/user_uploads/4715/MpkdSwKjLvmZ90Q-1eUZthIn/image.png">image.png</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/MpkdSwKjLvmZ90Q-1eUZthIn/image.png" title="image.png"><img src="/user_uploads/4715/MpkdSwKjLvmZ90Q-1eUZthIn/image.png"></a></div>



<a name="211922994"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211922994" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211922994">(Oct 01 2020 at 14:56)</a>:</h4>
<p><a href="/user_uploads/4715/E2ZBLIBuWwtzckzfNDTBa9rm/image.png">image.png</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/E2ZBLIBuWwtzckzfNDTBa9rm/image.png" title="image.png"><img src="/user_uploads/4715/E2ZBLIBuWwtzckzfNDTBa9rm/image.png"></a></div>



<a name="211923212"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211923212" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211923212">(Oct 01 2020 at 14:58)</a>:</h4>
<p><span class="user-mention silent" data-user-id="281739">Oliver</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211921052">said</a>:</p>
<blockquote>
<p><a href="/user_uploads/4715/MpkdSwKjLvmZ90Q-1eUZthIn/image.png">image.png</a></p>
</blockquote>
<p>that rust example could just be <code>let y = &amp;mut x; *y = A { name: "y" };</code> I think</p>



<a name="211923258"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211923258" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211923258">(Oct 01 2020 at 14:58)</a>:</h4>
<p>since it seems the point of the example is drop itself, not the <code>unsafe</code></p>



<a name="211923289"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211923289" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oli <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211923289">(Oct 01 2020 at 14:58)</a>:</h4>
<p>the C++ example is also not the same code as the Rust example, so it seems odd to compare</p>



<a name="211923291"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211923291" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211923291">(Oct 01 2020 at 14:58)</a>:</h4>
<p>also small point of correction: the previous value is dropped when you <em>overwrite</em> it, not when the function returns</p>



<a name="211923338"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211923338" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211923338">(Oct 01 2020 at 14:59)</a>:</h4>
<p><span class="user-mention silent" data-user-id="124288">oli</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211923289">said</a>:</p>
<blockquote>
<p>the C++ example is also not the same code as the Rust example, so it seems odd to compare</p>
</blockquote>
<p>yeah the rust one should use Box to be consistent</p>



<a name="211923492"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211923492" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211923492">(Oct 01 2020 at 15:00)</a>:</h4>
<p><a href="/user_uploads/4715/E1OSkiixYOuGuDsCYwPvAtR6/image.png">image.png</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/E1OSkiixYOuGuDsCYwPvAtR6/image.png" title="image.png"><img src="/user_uploads/4715/E1OSkiixYOuGuDsCYwPvAtR6/image.png"></a></div>



<a name="211924324"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/211924324" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#211924324">(Oct 01 2020 at 15:05)</a>:</h4>
<p><a href="/user_uploads/4715/dV8hKXcAM7EKcFKLjLQFUu50/image.png">image.png</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/dV8hKXcAM7EKcFKLjLQFUu50/image.png" title="image.png"><img src="/user_uploads/4715/dV8hKXcAM7EKcFKLjLQFUu50/image.png"></a></div>



<a name="212010293"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212010293" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212010293">(Oct 02 2020 at 06:26)</a>:</h4>
<p><span class="user-mention" data-user-id="281739">@Oliver</span> The idea behind "<code>unsafe</code> fields" is to remove the <code>set_len</code> confusion by making field access unsafe -- that way <code>set_len</code> _would_ have unsafe code in the body and wouldn't be picked up by the (misguided) "search for unsafe functions whose body contains only safe Rust code".</p>
<p>Basically adding an "unsafe encapsulation" to the existing privacy encapsulation, as a way to help focus auditing (though I'm not sure whether it would be sufficient to change the current "you must audit the entire module" rule).</p>



<a name="212097662"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212097662" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212097662">(Oct 02 2020 at 16:29)</a>:</h4>
<p>Conceptually that makes a lot of sense. That would be why code improvements like<br>
the following aren't really in scope<br>
<a href="https://github.com/rust-lang/rust/pull/77318">https://github.com/rust-lang/rust/pull/77318</a></p>



<a name="212163840"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212163840" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212163840">(Oct 03 2020 at 09:59)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116109">Vytautas Astrauskas</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211817869">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="281739">Oliver</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211800105">said</a>:</p>
<blockquote>
<p>They use the term "escape hatch" as well</p>
</blockquote>
<p>I think this is a pretty standard way of explaining the point of unsafe code to non-Rust programmers. If I recall correctly, the first time I heard this expression from Ralf when he was explaining Rust Belt to someone several years ago.</p>
</blockquote>
<p>yeah, I think I took that term from Derek. it usually seems to instill the right idea at least in PL researchers.^^</p>



<a name="212180026"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212180026" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212180026">(Oct 03 2020 at 16:55)</a>:</h4>
<p>"usually" <span aria-label="eyes" class="emoji emoji-1f440" role="img" title="eyes">:eyes:</span> <span aria-label="laughing" class="emoji emoji-1f606" role="img" title="laughing">:laughing:</span></p>



<a name="212180442"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212180442" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212180442">(Oct 03 2020 at 17:05)</a>:</h4>
<p>Well that's the best we can hope for when throwing syllables at each other in the hope that something sticks.^^</p>



<a name="212214290"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212214290" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> teor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212214290">(Oct 04 2020 at 09:15)</a>:</h4>
<p>Languages are hard</p>



<a name="212795407"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212795407" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212795407">(Oct 09 2020 at 08:19)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/211515950">said</a>:</p>
<blockquote>
<blockquote>
<p>Do you mean references to packed fields or structs? I am asking because I do see repr on ADTs, but not on fields. </p>
</blockquote>
<p>Sorry, I used that as a shorthand for "field of packed structs". (More specifically, fields of packed structs that are actually insufficiently aligned for their type -- i.e., a <code>u8</code> field is still safe to take a reference to, and Rust treats it as such)</p>
</blockquote>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> Do you basically want the list of places for which the compiler “requires” an unsafe block with a reason “borrow of packed field”?</p>



<a name="212795536"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212795536" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212795536">(Oct 09 2020 at 08:20)</a>:</h4>
<p>Here is the list of all functions for which the compiler generates this reason: <a href="/user_uploads/4715/cizrJYGt5M4FVGhvt4XTSSHl/packed_fields.csv">packed_fields.csv</a>.</p>



<a name="212795731"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212795731" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212795731">(Oct 09 2020 at 08:22)</a>:</h4>
<p>There are 326 such functions coming from 41 crate.</p>



<a name="212795862"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212795862" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212795862">(Oct 09 2020 at 08:24)</a>:</h4>
<p>Unfortunately, we do not have the precise position information of each reason and, therefore, I cannot tell you which of these uses are already wrapped in unsafe blocks.</p>



<a name="212796461"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212796461" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212796461">(Oct 09 2020 at 08:30)</a>:</h4>
<p>However, 41 crate seems to be a small enough number to try to compile them on our infrastructure or Crater and then grep the logs for the compiler warning.</p>



<a name="212911418"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212911418" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212911418">(Oct 10 2020 at 11:18)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116109">Vytautas Astrauskas</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/212795862">said</a>:</p>
<blockquote>
<p>Unfortunately, we do not have the precise position information of each reason and, therefore, I cannot tell you which of these uses are already wrapped in unsafe blocks.</p>
</blockquote>
<p>oh that's okay, this should not be allowed even inside unsafe blocks</p>



<a name="212911504"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212911504" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212911504">(Oct 10 2020 at 11:21)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116109">Vytautas Astrauskas</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/212795536">said</a>:</p>
<blockquote>
<p>Here is the list of all functions for which the compiler generates this reason: <a href="/user_uploads/4715/cizrJYGt5M4FVGhvt4XTSSHl/packed_fields.csv">packed_fields.csv</a>.</p>
</blockquote>
<p>this is great, thanks a lot :)</p>
<p>could you make this file available in <a href="https://github.com/rust-lang/rust/issues/27060">https://github.com/rust-lang/rust/issues/27060</a> somehow?</p>



<a name="212913543"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/212913543" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#212913543">(Oct 10 2020 at 12:24)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/212911504">said</a>:</p>
<blockquote>
<p>could you make this file available in <a href="https://github.com/rust-lang/rust/issues/27060">https://github.com/rust-lang/rust/issues/27060</a> somehow?</p>
</blockquote>
<p><a href="https://github.com/rust-lang/rust/issues/27060#issuecomment-706540964">Done</a></p>



<a name="213157765"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213157765" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213157765">(Oct 13 2020 at 13:58)</a>:</h4>
<p><span class="user-mention" data-user-id="347112">@Alex Summers</span> I'm probably too late with this, but I'm curious what % of all Rust code on <a href="http://crates.io">crates.io</a> is unsafe. I didn't see this explicitly stated in the paper. I like this metric because it isn't skewed by crates that are used purely for name-squatting and contain little to no code, yet would be counted in "% of crates that don't use unsafe code".</p>



<a name="213160370"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213160370" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213160370">(Oct 13 2020 at 14:14)</a>:</h4>
<p><span class="user-mention silent" data-user-id="127617">Shnatsel</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/213157765">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="347112">Alex Summers</span> I'm probably too late with this, but I'm curious what % of all Rust code on <a href="http://crates.io">crates.io</a> is unsafe. I didn't see this explicitly stated in the paper. I like this metric because it isn't skewed by crates that are used purely for name-squatting and contain little to no code, yet would be counted in "% of crates that don't use unsafe code".</p>
</blockquote>
<p>MIR total statement count: 334168941<br>
MIR statement count in user-written unsafe code: 14525076 (4.35%)<br>
MIR statement count in all unsafe code: 16132548 (4.83%)</p>



<a name="213163502"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213163502" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213163502">(Oct 13 2020 at 14:33)</a>:</h4>
<p>Oh, this lines up with the LoC numbers I got far better than I expected. Thanks!</p>



<a name="213688678"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213688678" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213688678">(Oct 18 2020 at 05:03)</a>:</h4>
<p>heard that macros are the only "escape hatches"</p>



<a name="213721845"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213721845" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> oliver <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213721845">(Oct 18 2020 at 19:39)</a>:</h4>
<p>meaning that all macros are escape hatches not just the unsafe macro</p>



<a name="213974630"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213974630" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213974630">(Oct 20 2020 at 20:22)</a>:</h4>
<p>unsafe is not a macro</p>



<a name="213974647"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213974647" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213974647">(Oct 20 2020 at 20:22)</a>:</h4>
<p>and I wouldn't describe macros as escape hatches really</p>



<a name="213974698"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213974698" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213974698">(Oct 20 2020 at 20:23)</a>:</h4>
<p>except in the sense they're more flexible than other things that go through the type system; but the code they generate is still type-checked after being expanded</p>



<a name="213983349"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213983349" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213983349">(Oct 20 2020 at 21:45)</a>:</h4>
<p>macros are arguably <em>syntax</em> escape hatches, but not <em>safety</em> escape hatches.</p>



<a name="213988053"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213988053" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213988053">(Oct 20 2020 at 22:35)</a>:</h4>
<p><a href="https://docs.rs/plutonium/">https://docs.rs/plutonium/</a> heh</p>



<a name="213989069"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213989069" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213989069">(Oct 20 2020 at 22:49)</a>:</h4>
<p>That advisory is technically yanked, I think we should un-yank it.</p>



<a name="213989909"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213989909" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213989909">(Oct 20 2020 at 23:00)</a>:</h4>
<p>haha yeah</p>



<a name="213989924"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213989924" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213989924">(Oct 20 2020 at 23:00)</a>:</h4>
<p>lol this is fun: <a href="https://docs.rs/plutonium/0.5.2/plutonium/macro.optimize.html">https://docs.rs/plutonium/0.5.2/plutonium/macro.optimize.html</a></p>



<a name="213989935"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/213989935" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#213989935">(Oct 20 2020 at 23:00)</a>:</h4>
<p>maybe don't mix that with <code>zeroize</code></p>



<a name="214031166"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/214031166" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#214031166">(Oct 21 2020 at 10:11)</a>:</h4>
<p><span class="user-mention silent" data-user-id="132721">Tony Arcieri</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/213988053">said</a>:</p>
<blockquote>
<p><a href="https://docs.rs/plutonium/">https://docs.rs/plutonium/</a> heh</p>
</blockquote>
<p>This example makes me wonder whether I should write a simple website that allows querying cargo geiger style information from our database. Since we are using the information from the compiler, for us it is much easier to find all unsafe code and precisely identify its origin.</p>



<a name="214031400"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/214031400" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#214031400">(Oct 21 2020 at 10:14)</a>:</h4>
<p>Cargo geiger, for example, has a problem that if you mix it with cargo expand, then it most likely will start reporting false positives such as unsafe code generated by the compiler itself. (For example, <code>#[derive(PartialEq)]</code> emits unsafe code for enums.)</p>



<a name="214129970"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/214129970" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#214129970">(Oct 22 2020 at 00:04)</a>:</h4>
<p>I may have done a bad thing in the <code>cargo-geiger</code> vs <code>plutonium</code> arms race: <a href="https://github.com/mxxo/plutonium/issues/1">https://github.com/mxxo/plutonium/issues/1</a></p>



<a name="214130102"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/214130102" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#214130102">(Oct 22 2020 at 00:06)</a>:</h4>
<p>you need some <a href="https://github.com/lukaslueg/volkswagen/">https://github.com/lukaslueg/volkswagen/</a></p>



<a name="214130271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/214130271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#214130271">(Oct 22 2020 at 00:09)</a>:</h4>
<p>haha yeah exactly</p>



<a name="214208380"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/214208380" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#214208380">(Oct 22 2020 at 16:01)</a>:</h4>
<p>Crisis averted. @mxxo doesn't want to implement it.</p>



<a name="214339791"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/How%20do%20programmers%20use%20unsafe%20Rust%3F/near/214339791" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F.html#214339791">(Oct 23 2020 at 17:09)</a>:</h4>
<p><span class="user-mention silent" data-user-id="132721">Tony Arcieri</span> <a href="#narrow/stream/146229-wg-secure-code/topic/How.20do.20programmers.20use.20unsafe.20Rust.3F/near/213989924">said</a>:</p>
<blockquote>
<p>lol this is fun: <a href="https://docs.rs/plutonium/0.5.2/plutonium/macro.optimize.html">https://docs.rs/plutonium/0.5.2/plutonium/macro.optimize.html</a></p>
</blockquote>
<p>oh wow I didn't realize they added more such great macros to the crate^^</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>